Coming October 25: PeerSpot Awards will be announced! Learn more
2020-01-05T07:29:00Z
Julia Frohwein - PeerSpot reviewer
Senior Director of Delivery at PeerSpot (formerly IT Central Station)
  • 0
  • 131

What needs improvement with Vectra AI?

Please share with the community what you think needs improvement with Vectra AI.

What are its weaknesses? What would you like to see changed in a future version?

15
PeerSpot user
15 Answers
FH
Head of IT Security, Acting CISO at a retailer with 10,001+ employees
Real User
Top 20
2021-10-14T20:04:00Z
14 October 21

If you hit a certain number of rules, triage filters, or groups, the UX responds more slowly. However, we have a complex network and a lot of rules. So, our setup might not be a typical implementation example. We even had UX engineers onsite, and they looked at issues, improvements, and user feedback. Since then, it has gotten a lot better, they even built in features that we specifically requested for our company. We know that Vectra AI sensors for cloud IaaS deployments have been released and we are planning to deploy those shortly.

Search for a product comparison
TS
Senior Security Engineer at a manufacturing company with 10,001+ employees
Real User
Top 20
2021-07-01T16:53:00Z
01 July 21

They use a proprietary logging format that is probably 90% similar to Bro Logs. Their biggest area of improvement is finishing out the remaining 10%. That 10% might not be beneficial to their ML engine, but that's fine. The industry standard is Zeek Logs or Bro Logs, or Bro or Zeek, depending on how old you are. While they have 90% of those fields, they're still missing some fields. In very rare instances, some community rules do not have the fields that they need, and we had to modify community rules for our logs. So, their biggest area of improvement would be to just finish their matching of the Zeek standard. They could provide distributed endpoint logging capability. We have a lot of remote workers nowadays in the day of the pandemic. If they're not connected to our VPN, then we're not capturing that traffic. So, the ability to do the traffic analysis for endpoints that are distributed would be cool. I have no idea how they would do that. I'm not aware of a single vendor that does that, but it would be cool if they could do that. To my knowledge, that's not really possible with the amount of compute power it would take on endpoints. It would be ridiculous. They'd have to really invent something new and novel that doesn't exist today in order to accomplish that. If they do, that would be great. Because I'm a customer already, I would use it. Cost-wise, they're not cheap. They were definitely the most expensive option. Their licensing model is antiquated. We have to pay for licensing based on four different things. They need to simplify their licensing down to just one thing.

PR
Head of Information Security at Winterflood Securities
Real User
Top 20
2021-05-19T13:11:00Z
19 May 21

Integration with other security components needs improvement. It should have true integration as opposed to just being a separate pane of glass.

BV
Project Manager at a university with 1,001-5,000 employees
Real User
Top 10
2020-10-29T10:12:00Z
29 October 20

The solution’s ability to reduce false positives and help you focus on the highest-risk threats is mostly good. It is still a bit of work in process, but I can give feedback to the company from the help desk. There is follow-up from the Vectra team who follows it closely. We can also give a lot of inputs to make it still a better product. It's already a very good product, but in comparison with a lot of systems I used in the past, the false positives are really a burden because they are taking a lot of time at this moment. The Office 365 integration is still a pretty new feature. I also have seen some improvements, and they email us with every step in the improvement process. I think that this integration will grow. Every area has room from improvement. Security is an ongoing process. It is important for Vectra to keep updating their system based on new behaviors. We would like to see the combination of the cloud with on-premise, e.g., what's happening in the cloud versus what's happening in the on-premise situation. If there is a phishing mail in the cloud, then the phishing mail comes in and a colleague clicks on that mail. Normally, it would be blocked by the system. However, when it's not blocked, then there can be malware on the system locally. We think it's important to get the integration of what's happening on Office 365 with phishing mails. Sometimes, it is a bit noisy on the dashboard because all the systems are on one field. On the dashboard, we have a complete overview of high, medium, and low risks. However, it would be more interesting for us if they could split that dashboard into high, medium, and low devices. For example, there is a dashboard on a device with a complete overview specifically for high-risk.

SW
Operational Security Manager at a financial services firm with 1,001-5,000 employees
Real User
Top 20
2020-10-21T04:34:00Z
21 October 20

Vectra is still limited to packet management. It's only monitoring packet exchanges. While it can see a lot of things, it can't see everything, depending on where it's deployed. It has its limits and that's why I still have my SIEM. I am in contact with the Vectra team, if not weekly then on a monthly basis, to propose improvements. For the time being, the main improvement I can see would be to integrate with more external solutions. Since Vectra provides an API, that should be quite easy to handle. For example, we're using an open source ticketing system within our team and I want to have it handled properly by Vectra. We'll go forward on that with the API. Another area for improvement that I have pinpointed is that the Office 365 solution and the Detect solution cannot match the same users. That means we have two "different worlds" currently, the world from Office 365, which is bringing alerts based on users' emails and email addresses. And we have the network world, which is bringing an Active Directory view. On the one hand we are seeing emails or email addresses, and on the other hand we are seeing things like logons on to the domain controller. From time to time, it does not match and the tool cannot currently cross-check this info and consolidate everything. I would like to be able to see that detection related to one workstation and covering a user: what he is using, what services he is using, and what he did with his Office 365 and configuration. That would help. Another major feature would be to have all logs pushed to Cognito Detect, and all these logs should be also pushed to Recall. Currently, within Recall, I can't call up the Office 365 detections and I would love to do so. The last point would be an automated IoT threat feed consumption by the tool.

MH
Head of Information Security at a retailer with 1,001-5,000 employees
Real User
2020-07-26T08:19:00Z
26 July 20

The false positives and the tuning side of it are some things that could use improvement but that could be from our side. I don't want to criticize the product for performance with our role out of it. It does what it says it's going to do very well. We've got issues with the way we've deployed it in some places, but the support we've had in that is very good as well, so I'm very happy with the support we get.

Learn what your peers think about Vectra AI. Get advice and tips from experienced pros sharing their opinions. Updated: September 2022.
635,987 professionals have used our research since 2012.
JM
Manager, IT Security at a energy/utilities company with 201-500 employees
Real User
2020-06-03T06:54:00Z
03 June 20

I would like to see a bit more strategic metrics instead of technical data. Information that I could show to my executive management team or board would be valuable. I would like to see some improvements on the integration aspects of it. They are getting better in this. However, most organizations have a plethora of cybersecurity solutions that they run, and I think that there is a bit more that could be done on the integration side.

ZM
Information Technology Security Engineer II at a mining and metals company with 10,001+ employees
Real User
2020-05-28T06:26:00Z
28 May 20

It does a little bit of packet capture on alert so you can look at the packet capture activity going on, but it doesn't collect a whole lot of data. Sometimes it's only one or two frames, sometimes it does collect more. That's why they have the addition of their Recall platform, because that really does help expand the capability. I would also like to see more documentation or user guides about using the product.

EW
Director, Information Security at a university with 5,001-10,000 employees
Real User
2020-05-27T08:03:00Z
27 May 20

Some of their integrations with other sources of data, like external threat feeds, took a bit more work than I had hoped to get integrated. I think the company has been very responsive, willing to take our feedback, and look at addressing our concerns. I have asked that they give direct packets capabilities.

Mark Davies - PeerSpot reviewer
Security Operations Specialist at a tech services company with 1,001-5,000 employees
Real User
2020-05-13T09:16:00Z
13 May 20

The solution's ability to reduce false positives wasn't very good, initially, because it was picking up so much information. It took the investment of some time and effort on our part to get the triage filters in place in such a fashion that it was filtering out the noise. Once we got to that point, then there was definitely value in time-savings and in percolating up the high-risk events that we need to be paying attention to. I'd like to be able to get granular reports and to be able to output them into formats that are customizable and more useful. The reporting GUI is lacking.

RM
Cyber Security Analyst at a financial services firm with 1,001-5,000 employees
Real User
2020-01-12T07:22:00Z
12 January 20

We would like to see more information with the syslogs. The syslogs that they send to our SIEM are a bit short compared to what you can see. It would be helpful if they send us more data that we can incorporate into our SIEM, then can correlate with other events. We have mentioned this to Vectra. It does some things that I find strange, which might be the artificial intelligence. E.g., sometimes you have a username for a device, then it makes another. It detects the same device with another name, and that's strange behavior. This is one of the things that we have with Vectra support at the moment, because the solution is seeing the device twice.

John Vicencio - PeerSpot reviewer
Cyber Specialist, Forensics at Richemont
Real User
2020-04-30T10:58:00Z
30 April 20

Some of the customization could be improved. Everything is provided for you as an easy solution to use, but working with it and doing specific development could be worked on a bit more in the scope of an incident response team. In my opinion, it's built as a solution for everything, instead of it being part of a bunch of other tools. For example, we have a source solution which will orchestrate the ability for us to use a host EDR and the ability for us to use Vectra. We see Vectra from a purely network standpoint. Therefore, we don't want it to be the incident manager where we have to fill in specific things to be fixed. We think the integration with source solutions could be better. It tries to treat itself as an incident resolution platform.

AG
Sr. Specialist - Enterprise Security at a mining and metals company with 5,001-10,000 employees
Real User
2020-03-04T08:49:00Z
04 March 20

One thing which I have found where there could be improvement is with regard to the architecture, a little bit: how the brains and sensors function. It needs more flexibility with regard to the brain. If there were some flexibility in that regard, that would be helpful, because changing the mode of the brain is complex. In some cases, the change is permanent. You cannot revert it. I would like to see greater flexibility in doing HA without having to buy more boxes just to do it. Another area they could, perhaps, look at is with OT (operational technology) specifically. Vectra is very specific to IT-related threats. It really doesn't have OT in its focus. We are using another tool for that, but maybe that is another area they can consider venturing into. It's being used by my team of four or five people. Once we hand it over to operations, then the team size will increase significantly. It will grow to about 10 to 15 people.

SR
Global Security Operations Manager at a manufacturing company with 5,001-10,000 employees
Real User
2020-02-25T06:59:00Z
25 February 20

You are always limited with visibility on the host due to the fact that it is a network based tool. It gives you visibility on certain elements of the attack path, but it doesn't necessarily give you visibility on everything. Specifically, the initial intrusion side of things that doesn't necessarily see the initial compromise. It doesn't see stuff that goes on the host, such as where scripts are run. Even though you are seeing traffic, it doesn't necessarily see the malicious payload. Therefore, it's very difficult for it to identify these type of host-driven complex attacks. It only shows us a view of suspicious behaviours. It doesn't show us a view of key or regularly attacked company targets. This could be because we don't have one of the other tools or products that Vectra provides, such as Stream or Recall. My challenge with the detection alerting platform, Cognito, is it tells us this host is behaving suspiciously and is targeting these other machines, but it won't give you a view when a host is the target of multiple attacks. This because you may have a key assets, such as domain controllers or configuration management servers. These are key assets which may get targeted. If you're a savvy attacker, you spread out your attack across multiple sources to try and hide them across the network. That is where the solution falls a bit short. It is trying to build that chain of relationships across detections and also trying to show detections from a perspective of a victim rather than the perspective of an attacker. I have expressed these concerns to Vectra and they are currently in as feature requests. There is another feature in place which takes additional data feeds, such as DHCP IP allocation data. Their inputs are taken from Windows event logs, and that's the format they have in place. They use that to provide them with a more accurate view of host identities. If you are only relying on IP addresses, and IP addresses change over time, it's sometimes very difficult to show a consistent view of a system behaviour over time, as the IP can change per month. Unfortunately, because their DHCP data is taken from Windows host events and our DHCP data is taken from a Palo Alto system that generates the IP leasing, the formats are incompatible. I think taking different formats for that type of data is something else we have a feature request in for. At the moment, we don't have an accurate view, or confidence, that they are resolving when an IP address changes from host to host. So, we may be missing an accurate view of risk on some of those hosts. We also have the same problem with VPN and Citrix. E.g., if you're on the network and on IP address A, then you come in via the VPN, you're now on IP address B. Thus, if you're spreading your suspicious behaviour across both the internal network and VPN, then across Citrix, we don't get to join all that information up. They are seen as three different systems, so it causes a bit of a problem trying to correlate that type of event data.

LW
Head of Information Security at a insurance company with 1,001-5,000 employees
Real User
2020-01-05T07:29:00Z
05 January 20

Room for improvement depends on how their strategy and roadmap develops, as they have a lot of third-parties that they integrate with, e.g., more orchestration around what alerts and what to do with afterwards. They don't pretend to be working in that space. That is a third-party type activity. There are always the little things that they could do a bit better, like grouping or triage filters. Clearly, they've taken that onboard and developed those over the course of the last 18 months to two years to put these additional functions in. My guys are constantly saying, "Oh, it'd be useful to do this and useful to do that." The solution has not reduced the security analyst workload in our organization because we still need to SIEM. Unfortunately, while Vectra, for us, is a brilliant tool for network investigations, giving wonderful visibility, it doesn't go the whole way to replace our SIEM that is needed for compliance. So, I still have the same amount of alerting and logging that I did before. It gives us more defined ability to see incidents, but it doesn't give us enough information to satisfy a PCI or 27001 audit.

Related Questions
Mazin Al-Shuaili - PeerSpot reviewer
Head Of Retail Operations at a financial services firm with 201-500 employees
Jun 09, 2020
Hi community, I have around ten years of experience working in the finance industry. I am evaluating Corelight and Vectra AI. What is the biggest difference between the two? Which would you recommend? Thanks! I appreciate the help.
2 out of 5 answers
JG
Chief Marketing Officer at Vectra
13 February 20
The two platforms take a fundamentally different approach to NDR. Corelight is limited to use cases that require the eventual forwarding of events and parsed data logs to a security team’s SIEM or data lake. You then rely on an open-source community for things like detections. Vectra not only does that – but also enriches the underlying data. It is also delivered as an investigative workbench that includes out-of-box detections that highlight and prioritize attacker behaviors and campaigns. Perhaps just as importantly, Corelight has few integrations whereas Vectra natively integrates with parts of infrastructure like EDR, orchestration and network security products.
OseremeOsobase - PeerSpot reviewer
Director at Baverianvine
13 February 20
I would recommend you look at Darktrace instead. Extrahop and the new kid on the block, Awake security are also recommended.
Miriam Tover - PeerSpot reviewer
Service Delivery Manager at PeerSpot (formerly IT Central Station)
Oct 14, 2021
If you were talking to someone whose organization is considering Vectra AI, what would you say? How would you rate it and why? Any other tips or advice?
2 out of 15 answers
LW
Head of Information Security at a insurance company with 1,001-5,000 employees
05 January 20
People do a lot more than we actually see. Looking at the test and development guys, sometimes they do things that they don't understand. So, they will do it because it works. The actual things that are behind the scenes are the sort of things that happen, and they don't really understand. If there's something that's really complicated, they're people that have initiated it that don't really know what it is. That is always a problem, because in our sort of company, we have a lot of developers who are doing a lot of coding and things like that, but they're not 100 percent on all the other things that they affect, such as the supporting applications underneath it. They are making a change on one particular app, but it's using the other apps underneath it to develop that and push that across to something else. All these extra, different steps that they are completely oblivious to where we go, "Actually, you've just done this." They go, "Well, I don't know, I just ran the script over here. I don't know why that would happen." But, it'll do a LDAP lookup or connect to a share. Those are the sort of things that you get a lot of visibility from people who don't understand. So, that can become tricky. That's pretty much par for the course for a lot of security tool sets. Where you have a couple of people who know one particular aspect, but don't really understand everything that's going on. To be fair, IT is a big area. You can't expect everyone to know everything of everything, not when you're not working in a massive IT structure, and the security team is a small department. You need to be quite key on your business case and what you're expecting from it. Be 100 percent sure on your use cases. It's an excellent tool. It doesn't create a huge amount of overhead, but it is a tool that you need to keep on top of. The more you keep on top of it and get it right at the start, the easier it will make your life going forward. Don't just stick it in, then leave it to whirl away as a lot of people do. You have to spend that bit of extra time, and it's not huge amount of time, and leverage other teams. The way they do their customer success is really good. There's nothing bad that I've got to say apart from the costs, but nothing's free, is it? It has to be up there with my favorite security tool set at the moment. I am quite lean on scores, but the solution is definitely nine (out of 10). If I look at all my other security tool sets, this is the one that my guys value the most.
RM
Cyber Security Analyst at a financial services firm with 1,001-5,000 employees
12 January 20
Start small and simple. Work with the Vectra support team. The solution’s ability to reduce false positives and help us focus on the highest-risk threats is the tricky part because we are still doing the filtering. The things it sees are out of the ordinary and anomalous. In our company, we have a lot of anomalous behavior, so it's not the tool. Vectra is doing what it's supposed to do, but we need to figure out whether that anomalous behavior is normal for our company. The majority of the findings are misconfigurations of servers and applications. That's the majority of things that I'm investigating at the moment. These are not security risks, but need to be addressed. We have more of those than I expected, which is good, but not part of my job. While it's good that Vectra detects misconfiguratons, there are not our primary goal. The solution is an eight (out of 10). We don't investigate our cloud at the moment.
Related Articles
Davina Becker - PeerSpot reviewer
Content Editor at PeerSpot
Sep 11, 2022
Enterprises are increasingly facing multiple network monitoring challenges, like tracking, monitoring, and improving network performance. Addressing these challenges with a Network Traffic Analysis (NTA) solution helps an organization avoid various network monitoring challenges with proactive strategies. PeerSpot real users of Network Traffic Analysis note the advantages of this type of solut...
Netanya Carmi - PeerSpot reviewer
Content Manager at PeerSpot (formerly IT Central Station)
Apr 06, 2022
PeerSpot’s crowdsourced user review platform helps technology decision-makers around the world to better connect with peers and other independent experts who provide advice without vendor bias. Our users have ranked these solutions according to their valuable features, and discuss which features they like most and why. You can read user reviews for the Top 8 Network Detection and Response (ND...
Related Solutions
Related Articles
Davina Becker - PeerSpot reviewer
Content Editor at PeerSpot
Sep 11, 2022
3 Non-Traditional ROIs for a Network Traffic Analysis Solution
Enterprises are increasingly facing multiple network monitoring challenges, like tracking, moni...
Netanya Carmi - PeerSpot reviewer
Content Manager at PeerSpot (formerly IT Central Station)
Apr 06, 2022
Top 8 Network Detection and Response (NDR) Tools for 2022
PeerSpot’s crowdsourced user review platform helps technology decision-makers around the world to...
Download Free Report
Download our free Vectra AI Report and get advice and tips from experienced pros sharing their opinions. Updated: September 2022.
DOWNLOAD NOW
635,987 professionals have used our research since 2012.